In this article, you will learn what the OWASP Core Rule Set (CRS) is and how you can use it to protect your website.

What is the OWASP Core Rule Set?

The OWASP Core Rule Set (CRS) is a tool that you can use to protect your website against generic attacks. Attacks are considered generic if they target widespread security vulnerabilities rather than a specific application or technology. The CRS is a set of rules that can be used to detect such attacks. All requests to a website are analyzed according to these rules. If a request meets the criteria of one or more rules, access to the website is blocked. If not, then access is allowed.

The CRS thus helps to detect potential threats and increase the security of your website. It protects against a wide range of attacks, such as SQL injection and cross-site scripting. For more information on the most common attacks that the CRS protects against, please visit the OWASP Core Rule Set website.

The CRS is developed and maintained by the Open Worldwide Application Security Project (OWASP), a non-profit organization that aims to improve the security of applications, services and software.

Usage at Hostpoint

OWASP CRS is disabled by default at Hostpoint. You can enable it yourself in the Hostpoint Control Panel. You can find out how to do this in the “Enabling OWASP CRS” section.

As the CRS rules are very strict, legitimate access requests may also sometimes be blocked. These are referred to as false positives. To avoid this, you can weaken or even deactivate the rules individually using exclusion plugins and exclude rules.

Exclusion plugins

There are plugins for some of the most common content management systems (CMS) (e.g. WordPress) that can be used to weaken the CRS rules. These plugins are also referred to as exclusion plugins. If there is such a plugin for the CMS you are using, we recommend enabling it.

Exclude rules

If the CRS is too strict for you despite the enabled plugin or if there is no plugin for your CMS, you can disable individual rules. This allows you to adapt the CRS even more precisely to your needs.

To add such an exception rule (also known as an “exclude rule”), you need the ID of that rule. You can find this in your website’s error log, which you can download via the Hostpoint Control Panel, for example. Blocked requests to your website are logged and assigned the ID of the corresponding rule in the error log. The easiest way to find the affected request is to search for the time or IP address in the file.

The following example shows a request that was blocked by the OWASP CRS. If the access is considered legitimate and you do not want such a request to be blocked, you can add the rule ID (the value in the `[id "..."]` field, 930130 in this example) to the “Exclude Rule IDs”.

~/your-own-domain_logs.txt

[Tue Jan 07 02:43:43.657734 2025] [-:error] [pid 78379:tid 38756085760] ModSecurity: Warning. Matched phrase ".env" at REQUEST_FILENAME. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "143"] [id "930130"] [msg "Restricted File Access Attempt"] [data "Matched Data: .env found within REQUEST_FILENAME: /.env"] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-lfi"] [tag "paranoia-level/1"] [tag "OWASP_CRS"] [tag "capec/1000/255/153/126"] [tag "PCI/6.5.4"] [hostname "your-own-domain.ch"] [uri "/.env"] [unique_id "Z3yGz6UWH6z-1DWgHdR_DwAAAPA"
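As an added example (not code from Hostpoint or from the article), the following Python script pulls the rule ID, message, URI and hostname out of error-log lines in the format shown above and groups the matches by rule, so you can see how often each rule fires, and on which requests, before deciding whether its ID belongs in “Exclude Rule IDs”. The sample log lines are constructed for this example: the first mirrors the excerpt above, the others (rule 942100, the `[client ...]` address, the admin-ajax URI) are made up. The `[client ...]` field is treated as optional because the excerpt above does not include it.

```python
import re
from collections import Counter

# Constructed sample error-log lines (not from a real server). The first line follows the
# article's excerpt; lines 2-4 are made up to show grouping, an IP filter and a non-WAF line.
SAMPLE_LOG = """\
[Tue Jan 07 02:43:43.657734 2025] [-:error] [pid 78379:tid 38756085760] ModSecurity: Warning. Matched phrase ".env" at REQUEST_FILENAME. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/REQUEST-930-APPLICATION-ATTACK-LFI.conf"] [line "143"] [id "930130"] [msg "Restricted File Access Attempt"] [data "Matched Data: .env found within REQUEST_FILENAME: /.env"] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0"] [tag "attack-lfi"] [tag "paranoia-level/1"] [hostname "your-own-domain.ch"] [uri "/.env"] [unique_id "Z3yGz6UWH6z-1DWgHdR_DwAAAPA"]
[Tue Jan 07 09:12:01.000001 2025] [-:error] [pid 78379:tid 38756085760] [client 192.0.2.10:51234] ModSecurity: Warning. detected SQLi using libinjection. [file "/usr/local/etc/apache24/Includes/mod_security/crs/rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [ver "OWASP_CRS/4.6.0"] [tag "attack-sqli"] [hostname "your-own-domain.ch"] [uri "/wp-admin/admin-ajax.php"] [unique_id "CONSTRUCTED-0001"]
[Tue Jan 07 09:12:05.000002 2025] [-:error] [pid 78379:tid 38756085760] [client 192.0.2.10:51240] ModSecurity: Warning. detected SQLi using libinjection. [file "..."] [line "45"] [id "942100"] [msg "SQL Injection Attack Detected via libinjection"] [severity "CRITICAL"] [hostname "your-own-domain.ch"] [uri "/wp-admin/admin-ajax.php"] [unique_id "CONSTRUCTED-0002"]
[Tue Jan 07 09:13:00.000000 2025] [core:error] [pid 78379] AH00126: Invalid URI in request GET /%zz HTTP/1.1
"""

# Bracketed key/value fields such as [id "930130"] or [uri "/.env"]; the value may contain
# escaped quotes. Fields without a quoted value (pid, client, -:error) are not matched here.
KV_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')
TIME_RE = re.compile(r'^\[([^\]]+)\]')            # leading Apache timestamp
CLIENT_RE = re.compile(r'\[client ([^\]\s]+)\]')  # optional "[client IP:port]" field


def parse_modsec_line(line):
    """Return the fields of one ModSecurity error-log line as a dict, or None if the
    line is not a ModSecurity message (ordinary Apache errors are skipped)."""
    if "ModSecurity:" not in line:
        return None
    fields = {"tags": []}
    m = TIME_RE.match(line)
    fields["time"] = m.group(1) if m else None
    m = CLIENT_RE.search(line)
    client = m.group(1) if m else None
    if client and client.count(":") == 1:
        client = client.rsplit(":", 1)[0]  # strip the port from "IPv4:port"
    fields["client"] = client
    for key, value in KV_RE.findall(line):
        if key == "tag":                   # a line carries several [tag "..."] fields
            fields["tags"].append(value)
        else:
            fields[key] = value
    return fields


def find_matches(lines, client=None, hostname=None, uri=None, time_prefix=None):
    """Filter ModSecurity lines by what you usually know about a false positive:
    the visitor's IP, the affected host or URI, or roughly when it happened."""
    out = []
    for line in lines:
        f = parse_modsec_line(line)
        if f is None:
            continue
        if client and f.get("client") != client:
            continue
        if hostname and f.get("hostname") != hostname:
            continue
        if uri and f.get("uri") != uri:
            continue
        if time_prefix and not (f.get("time") or "").startswith(time_prefix):
            continue
        out.append(f)
    return out


def rule_ids_for(lines, **criteria):
    """Sorted, de-duplicated rule IDs behind the requests matching the criteria."""
    return sorted({f["id"] for f in find_matches(lines, **criteria) if "id" in f})


def summarize_blocked(lines):
    """Count matches per CRS rule as {(id, msg): count}, to see which rules fire most."""
    counts = Counter()
    for f in find_matches(lines):
        if "id" in f:
            counts[(f["id"], f.get("msg", ""))] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (rule_id, msg), n in summarize_blocked(lines).most_common():
        print(f"{rule_id}  x{n:<3} {msg}")
    print("rules hit by 192.0.2.10:", rule_ids_for(lines, client="192.0.2.10"))
```

Run it against the downloaded log instead of SAMPLE_LOG by reading the file with `open(path).readlines()`. The summary is meant as a review aid: a rule that fires only on requests like `/.env` is doing its job and should stay, whereas a rule ID that repeatedly matches a known-good URI used by your CMS is the candidate for “Exclude Rule IDs”.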

Enabling OWASP CRS

To enable the OWASP CRS, please proceed as follows:

  1. Log into the Hostpoint Control Panel with your Hostpoint ID.
  2. Open your web hosting.
  3. Choose “Websites” in the menu on the left.
  4. Click “Edit” for the desired website.
    → You will see an overview of the settings for the website.
  5. Scroll down to the “Web application firewall (WAF)” section and click “Edit” for “OWASP Core Rule Set (CRS)”.
  6. Enable the OWASP CRS.
  7. If you wish, you can also enable an exclusion plugin or configure Exclude Rule IDs here.

→ The OWASP CRS has been enabled.

Additional information

Detailed information on OWASP and the Core Rule Set can also be found at:
